bugzilla-daemon at mindrot.org
2002-Jul-18 04:33 UTC
[Bug 342] RhostsRSAAuthentication does not work with 3.4p1
http://bugzilla.mindrot.org/show_bug.cgi?id=342
stevesk at pobox.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
------- Additional Comments From stevesk at pobox.com 2002-07-18 14:33 -------
ssh is by default not set-uid root.
re-open if this is the the cause.
RhostsRSAAuthentication
Specifies whether to try rhosts based authentication with RSA
host authentication. The argument must be ``yes'' or
``no''. The
default is ``no''. This option applies to protocol version
1 only
and requires ssh to be setuid root.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-Jul-30 23:14 UTC
[Bug 342] RhostsRSAAuthentication does not work with 3.4p1
http://bugzilla.mindrot.org/show_bug.cgi?id=342
djast at cs.toronto.edu changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |
------- Additional Comments From djast at cs.toronto.edu 2002-07-31 09:14
-------
When PrivilegeSeparation is enabled, RhostsRSAAuthentication seems to look up
the connecting host in the known_hosts file by IP address rather than by name.
The tests below were run as root on the client side, so setuid is not an issue.
With UsePrivilegeSeparation=yes, sshd -d -d -d reports:
[...]
debug1: Attempting authentication for root.
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for root from 128.100.2.31 port 56036
debug3: mm_request_receive entering
debug1: Trying rhosts with RSA host authentication for client user root
debug3: Trying to reverse map address 128.100.2.31.
debug1: Rhosts RSA authentication: canonical host 128.100.2.31
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 1414a0
debug3: Trying to reverse map address 128.100.2.31.
debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug1: restore_uid: 0/1
debug2: check_key_in_hostfiles: key not found for 128.100.2.31
debug3: mm_answer_keyallowed: key 1414a0 is disallowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_send_debug: Sending debug: Accepted by .rhosts.
debug3: mm_send_debug: Sending debug: Accepted host jane.cs ip 128.100.2.31
client_user root server_user root
debug1: Rhosts with RSA host authentication denied: unknown or invalid host key
Failed rhosts-rsa for root from 128.100.2.31 port 56036 ruser root
With UsePrivilegeSeparation=no:
[...]
debug1: Attempting authentication for root.
debug1: Trying rhosts with RSA host authentication for client user root
debug3: Trying to reverse map address 128.100.2.31.
debug1: Rhosts RSA authentication: canonical host jane.cs
debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts
debug3: check_host_in_hostfile: match line 11
debug2: check_key_in_hostfiles: key ok for jane.cs
Rhosts with RSA host authentication accepted for root, root on jane.cs.
Accepted rhosts-rsa for root from 128.100.2.31 port 56048 ruser root
The first case fails and the second succeeds, because the sshd_known_hosts file
contains an entry for *.cs but not for 128.100.2.31.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.